Wednesday, March 15, 2006

Pogo's oft-quoted wisdom is probably never truer than when we look at how most of us treat our own data security needs.

The Eversheds firm in London, home to our member Jonathan Armstrong, sends along a short story about an experiment performed in London. Most of us have heard the term 'social engineering' used to describe the practice of obtaining confidential information by socially manipulating legitimate users. Often, we have the image of some nefarious hacker, wearing a stolen uniform from the phone company, sweet-talking the front-desk receptionist into handing over her password for a purported small fix to the system. But maybe that hacker went to too much trouble? I will let Eversheds explain:

Alarmingly, an experiment carried out last month in London revealed that Security Policies are very easily undermined. IT skills specialist the Training Camp handed out CDs to commuters, explaining that they contained a special promotion. However, the CDs merely contained a programme which informed the Training Camp how many participants had tried to install the CD.

Despite the CD's packaging, which advised participants to follow their company's acceptable use policy and which warned of the risks inherent in downloading unknown and unapproved third-party software, participants proceeded to open and install the CD and ultimately put the security of their company data at risk.

The CDs contained nothing harmful. However, the potential for damage to be caused by such a blatant breach of data security was immense, particularly given that participants included both insurance and bank employees.